Increasing CFAA Penalties Won't Deter Foreign "Cybersecurity" Threats

In the last three months alone, the House has released three different cybersecurity bills and has held over seven hearings on the issue. In addition, the House Judiciary Committee floated changes to the Computer Fraud and Abuse Act (CFAA)—the draconian anti-hacking statute that came to public prominence after the death of activist and Internet pioneer Aaron Swartz. Politicians tout this legislation as necessary to protect against foreign threats every single time they introduce a bill with “cyber” somewhere in the text. And it comes as no surprise that every hearing has opened up with a recap of computer security attacks faced by the US from China, Iran, and other foreign countries.

For many politicians "cybersecurity" is also synonymous with increasing penalties for computer crimes. The CFAA proposal floated last week expands the already broad scope of the CFAA, increases the prison time for violations, and criminalizes new actions. Politicians from both parties believe—despite research saying otherwise—that increasing penalties will serve as a deterrent to foreign crimes. Just last year, President Obama, Senator Leahy, and House Republicans all proposed expanding the reach of the CFAA by increasing its penalties. With your help these attempts were defeated when we killed the cybersecurity bill in the Senate.

Why Increases Won't Deter Foreign Threats

Increasing penalties in the CFAA won't serve as a deterrent to foreign threats. Many foreign hacks—like the ones revealed in the recently released Mandiant report—are carried out not by private individuals, but by state or quasi-state sponsored citizens. In talks, politicians often cite the recent hack of a Saudi oil company called Saudi Aramco. But the hack is thought to be from a quasi-state sponsored Iranian group. And the US will find it hard, if not impossible, to extradite Chinese or Iranian state-sponsored computer hackers. In the case of China and Russia, there are strong legal prohibitions that bar the government from handing over a citizen to another country.

The US would also have a hard time prosecuting civilian foreign citizens. In recent memory there have been only a handful of CFAA extradition cases. In one potential case—the infamous "ILOVEYOU" virus—the FBI said that suspects are generally prosecuted in the country they're found. This means that the CFAA wouldn't be used. The larger Department of Justice manual concerning extraditions lists factors leading to an extradition, but warns prosecutors: "appeals and delays are common." In general, there have been very few successful extradition cases based solely on the CFAA.

Just last year, the US tried to extradite Gary McKinnon under the CFAA for allegedly accessing US military computers. The US government labeled McKinnon as one of the "world's most dangerous hackers," yet it was unable to persuade one of its closest allies, England, to extradite him. McKinnon's case is just one recent example of the difficulties the US government faces when trying to prosecute foreign online threats with US domestic law.

In 2011, Michael Chertoff, the former secretary of the Department of Homeland Security, made these same exact points. While discussing the CFAA and foreign cybersecurity threats, Chertoff noted:

The problem is a lot of the activity is overseas, and we are not going to find the people who do this stuff because they are never coming over to the United States. And, frankly, in some countries there is not a lot of interest in cooperating with us.

In addition, former Justice Department prosecutor and CFAA expert Orin Kerr wrote last week that Congress and the Justice Department seem to be pushing these changes despite the fact that sentences are already very tough, and without any evidence that judges who preside over computer crimes cases think they are necessary:

[H]ave there been any cases in which judges maxed out the current sentences, suggesting that if they had the power to do so they might have wanted to sentence a defendant to a greater punishment? Or is Congress considering increasing the allowed penalties under the CFAA with a complete absence of evidence that any federal judge anywhere has ever found the current statutory maximum penalties too low in any actual case?

The facts are clear: Increasing penalties and expanding the scope of the CFAA won't deter foreign threats—the main reason politicians cite for cybersecurity legislation that increases penalties under the CFAA—and it's unclear if it will deter any threats at all.

Where We Need to Go

This year, in the wake of Aaron's death, advocates fighting to change the status quo have even more reason to enact serious reform. Congress should reform the draconian CFAA by narrowing its scope and reducing its penalties. Rep. Zoe Lofgren has proposed Aaron's law, which seeks to pass language already reflected in judicial decisions and clarifies that violations of a terms of service are not a crime. EFF's own proposal goes beyond this. Our changes aim to protect innovation and decrease the penalties found in the law.

Politicians shouldn't mistake reforming the CFAA for being "soft on crime" or for facilitating more foreign attacks. Even domestically speaking, prosecutors have a number of laws to choose from. CFAA reform has been long overdue. Courts like the Fourth and Ninth circuits are already narrowing the law. It's time for Congress to follow their lead. Help support CFAA reform by telling your Representative to support reform.
